All it took for Edward Snowden to grab roughly 1.7 million classified documents from the National Security Agency’s network was an open-source Web crawler and a few scripts, according to a New York Times report on Sunday. An investigation of Snowden’s activities at the NSA outposts in Hawaii apparently found that he was able to retrieve millions of classified documents in an automated fashion using what the Times described as “low-cost” software. That software was likely based on the open source GNU Wget utility.

Intelligence officials would not say what the tool was, but said they believed it was "more powerful" than Wget. The anonymous sources don’t add much to the narrative of Snowden’s extraction of secret documents, though they do start to put a number on the volume of what officials believe he made off with. But the real sting of the latest data is that the NSA’s internal IT operations are portrayed as even more fast and loose than before. Anyone with admin access might have been able to do what Snowden did.

Walking through the spider webs

Wget is the tool that was used by Chelsea Manning (formerly Bradley Manning) hundreds of times to retrieve classified files off Department of Defense networks that she later provided to WikiLeaks. It can be used to download a series of interlinked files from websites—downloading a webpage and then every document linked from that page, as well as every document linked from subsequent pages. Wget can be and is often used to set up “mirror” websites. And it's free and open source—only the overhead associated with a support contract would push it into the realm of “low-cost.”

As Ars has previously reported, the NSA has little if any internal compartmentalization of its classified documents since the organization shifted to a culture of sharing in the wake of the September 11, 2001 attacks on the World Trade Center and Pentagon. That minimal security gave Snowden access based on his clearance to a significant amount of the NSA’s internally shared documents. And despite efforts following the WikiLeaks scandal to better monitor the activities of cleared users within the NSA’s networks, the NSA’s moves to increase security never reached the facilities in Oahu where Snowden worked. Bandwidth limitations on the NSA’s internal network made the deployment of the software there impractical.

It’s not clear whether the sources who spoke to the Times were simply trying to discredit the mythos of Snowden as some “uber-hacker” who used elite skills to defeat the NSA’s internal security or if the backchannel was for internal political reasons. But the report reveals nothing really new about Snowden’s collection efforts. It simply highlights how extraordinarily bad the NSA’s internal security regime was.

Root has its privileges

Anyone with a Top Secret/Sensitive Compartmented Information (TS/SCI) clearance at the NSA would have had access to nearly everything Snowden touched. But because of the extraordinary level of leeway given to system administrators by the NSA, Snowden was able to scoop most of it up, put it on USB drives, and carry it off without generating much suspicion at all. Snowden was allegedly able to explain away his large-scale, scripted accessing of the data on the NSA’s WebWorld intranet as part of his job as a system administrator. And his activities were allowed to continue with little to no oversight.

According to one official who spoke to the Times anonymously, Snowden’s activities were “challenged a few times.” But on each occasion, Snowden offered what seemed to be legitimate excuses for the access—he was, after all, in charge of moving content into a newer, more secure system, according to NSA Director of Technology Lonny Anderson.

Wget would be exactly the type of tool Snowden would have used to do that sort of task—Anderson said he was part of the team moving content to a new “tagged” system that would allow for greater auditing and control over who accessed documents in the WebWorld intranet.

Using some fairly simple scripts, Snowden would have been able to execute crawls of targeted parts of the NSA’s intranet without the need to hang around and hunt for data manually. He could go about his daily business as an NSA system administrator while a computer downloaded the contents of the NSA’s network of Wikis and other Web-based document stores.

Insider blind spot

Intelligence officials have claimed that Snowden was able to do all this largely because the Oahu NSA facilities had not gotten the software purchased to prevent insider threats in the wake of WikiLeaks. “He was either very lucky or very strategic” to get the positions he held in Hawaii, one official told the Times. But it’s also entirely possible that his activities would have gone unchecked in any case, simply because of his system administrator status.

The software deployed to prevent insider threats focused largely on client machines to watch for “exfiltration”—the removal of data from the network. But Snowden would have been able to download the data directly from servers and find other ways to dodge auditing, all while chalking up the activity to sysadmin duties.
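The gap described above is that the crawl was visible on the servers rather than on the monitored clients. As an added example (not from the article or from any NSA tooling), here is a server-side check over web access logs that flags an authenticated account reading many distinct pages at machine pace; the Combined Log Format with an authenticated user field, the thresholds, the account names and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Combined Log Format (assumed); the third field is the authenticated user.
LINE = re.compile(
    r'\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')

def parse(lines):
    """Yield (user, time, path, agent) for authenticated requests only."""
    for line in lines:
        m = LINE.match(line)
        if m and m["user"] != "-":
            yield (m["user"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                   m["path"], m["agent"])

def find_bulk_readers(lines, window=timedelta(minutes=10),
                      min_distinct=20, max_median_gap=2.0):
    """Return {user: report} for accounts whose reads look scripted.

    A user is flagged when any sliding window holds at least min_distinct
    different paths fetched with a median gap of at most max_median_gap
    seconds. The User-Agent is reported but is not the trigger, because the
    client chooses it.
    """
    by_user = defaultdict(list)
    for user, ts, path, agent in parse(lines):
        by_user[user].append((ts, path, agent))
    flagged = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            paths = {p for _, p, _ in span}
            if len(paths) < min_distinct or len(span) < 2:
                continue
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(span, span[1:])]
            if median(gaps) <= max_median_gap:
                flagged[user] = {"distinct_paths": len(paths),
                                 "median_gap_s": median(gaps),
                                 "agents": sorted({a for _, _, a in span})}
                break  # first window that trips the rule is enough
    return flagged

def constructed_sample():
    """Constructed log lines: one scripted crawl, one person browsing by hand."""
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    fmt = '10.0.0.{ip} - {user} [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{agent}"'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    crawl = [fmt.format(ip=5, user="admin_a", ts=stamp(t0 + timedelta(seconds=i)),
                        path=f"/wiki/page{i}", agent="Wget/1.14") for i in range(40)]
    human = [fmt.format(ip=9, user="analyst_b", ts=stamp(t0 + timedelta(seconds=90 * i)),
                        path=f"/wiki/page{i % 6}", agent="Mozilla/5.0") for i in range(12)]
    return crawl + human

if __name__ == "__main__":
    print(find_bulk_readers(constructed_sample()))
```

A sanctioned migration job trips the same rule, so an alert like this is only useful when it is reconciled against an approved change record by someone other than the account holder.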

99 Reader Comments

It’s not clear whether the sources who spoke to the Times were simply trying to discredit the mythos of Snowden as some “uber-hacker” who used elite skills to defeat the NSA’s internal security or if the backchannel was for internal political reasons. But the report reveals nothing really new about Snowden’s collection efforts. It simply highlights how extraordinarily bad the NSA’s internal security regime was.

On the other hand, guys like weev go to prison for using wget. And it was a big story that Snapchat was "hacked" because they didn't have anti-scraper stuff.

Snowden would have been able to download the data directly from servers and find other ways to dodge auditing, all while chalking up the activity to sysadmin duties.

LIES!!! The way I hear it, he used some super secret high tech program he got from the Russians, who got it from the Chinese of course. He also used said system to blackmail his superiors to give him that Hawaii post.

I don't understand why they didn't fix this after Manning exposed the problem. It was obvious then, but they chose to throw a kid under the bus (35 years in prison) instead of the senior officers who allowed someone untrustworthy to access the data in the first place.

Anyone with admin access might have been able to do what Snowden did.

Chances are it's happened before, more than once, for less noble reasons than Snowden's. A huge number of people had access to that data, and you can bet that a few of them weren't above selling some of it to a foreign government.

Snowden gives the documents to the papers. So what prevented some other admin doing the same but selling them to the Russians or the Chinese? NSA would not know, unless they happened to be listening to Russian and Chinese calls or reading emails.

Anyone with admin access might have been able to do what Snowden did.

Chances are it's happened before, more than once, for less noble reasons than Snowden's. A huge number of people had access to that data, and you can bet that a few of them weren't above selling some of it to a foreign government.

This is my biggest complaint about the NSA spying. As much as I'm worried about law enforcement knowing all my secrets, that's barely even a consideration compared to my worry about organised crime getting their hands on my stuff which is definitely happening if the security is this lax.

I used to work at a DoD facility next to some NSA trailers. We had to put ridiculous USB port plugs on our machines, and get a waiver to connect any external disk to a system. Meanwhile next door...

They're a lot less cautious now:

Washington Post wrote:

When Coombs pressed Adkins on why Manning was not removed from duty, despite the letter and other signs of distress, the sergeant responded that the unit was short-staffed and that the analyst’s skills were essential to the mission.

Manning was working with intelligence and there was evidence he couldn't be trusted, but they kept him at his post.

Wget would be exactly the type of tool Snowden would have used to do that sort of task—Anderson said he was part of the team moving content to a new “tagged” system that would allow for greater auditing and control over who accessed documents in the WebWorld intranet.

I find it interesting that Hollywood VFX companies have stricter security policies. As a VFX artist, I was working on a feature film (with 500 other people) and plugged a USB stick in that had a bunch of utilities I regularly use. Within 5 minutes an IT guy appeared wanting to check why I had a USB stick and what I was doing... and that's lax compared to working on TV commercials for car companies. Some of them will not supply CAD models unless they audit the facility first, and they insist the workers cannot have Internet access and all USB ports are disabled. Funny that film companies and car companies are more paranoid than the NSA.

I find it quite remarkable that the outpost in Hawaii on the one hand did not have enough bandwidth for new security monitoring program and on the other hand did have enough bandwidth to download those millions of documents. Seems like a contradiction.

Anyone with admin access might have been able to do what Snowden did.

Chances are it's happened before, more than once, for less noble reasons than Snowden's. A huge number of people had access to that data, and you can bet that a few of them weren't above selling some of it to a foreign government.

This is my biggest complaint about the NSA spying. As much as I'm worried about law enforcement knowing all my secrets, that's barely even a consideration compared to my worry about organised crime getting their hands on my stuff which is definitely happening if the security is this lax.

This is a big point of why I hate giving out personal info if I don't need to, be it for a forum user account or a pair of pants I buy at Sears. I can't say I believe in conspiracies, however, what I believe and know is that companies are very lax with security in regards to customer info. When you give your information to anyone (or when they take it with some or none of your consent) you're trusting they'll keep it safe.

It's not that I assume the entity has evil intentions (although in the case of NSA...), but that they're idiots and there are plenty of people out there that do. And they're not above stealing a little customer info (Target anyone?)

1.7m documents to prove mass warrantless surveillance? Sounds like overkill to me. I wonder what else he was hoping to accomplish... Whatever he could get away with, I suspect.

No no no. You're missing the point. He didn't need all of those documents to prove mass warrantless surveillance. If you suspect the data exists that proves your point, sometimes you have to download a lot of stuff and then sort it out later to find the stuff you were really looking for.

the NSA’s moves to increase security never reached the facilities in Oahu where Snowden worked. Bandwidth limitations on the NSA’s internal network made the deployment of the software there impractical.

So the WLAN wasn't robust enough to handle the new security software, but it was good enough for Snowden to grab 1.7 million documents off of it? Maybe that software needs to be optimized -- unless the 1.7 million documents were stored locally in Oahu.

There was a myth that Snowden was an "uber hacker?" The only people that believed that were the same ones that believe "downloading lots of documents without permission" makes you a hacker by itself - ie, the government.

I don't read this as the NSA having poor security. I read it as the NSA had one of the people in its inner circle betray them. No matter how secure your organization is, you will always have a handful of sysadmins at the centre of everything, with the know-how and passwords to circumvent all access control lists and auditing. An extremely well designed system will require a conspiracy of more than one of those people to defeat, but those people still exist.

Better defense-in-depth may have been wise, ie. searching people for USB sticks at the exit, etc. but then you're gaining negligible security for a cost that's pretty controversial (ie. TSA). Honestly the NSA should worry less about data walking out the door and more about not having anything incriminating in the data to begin with. If they obeyed the law, you'd only have foreign intelligence to contend with, and not whistle-blowers.

Better defense-in-depth may have been wise, ie. searching people for USB sticks at the exit, etc. but then you're gaining negligible security for a cost that's pretty controversial (ie. TSA). Honestly the NSA should worry less about data walking out the door and more about not having anything incriminating in the data to begin with. If they obeyed the law, you'd only have foreign intelligence to contend with, and not whistle-blowers.

In reference to sensitive data, I tell customers all the time, "your largest unrecognized threat is IT and janitorial staff." If you are going to monitor, audit, background check anyone...start there. One has all the logical keys, the other, all the physical keys.

I don't read this as the NSA having poor security. I read it as the NSA had one of the people in its inner circle betray them. No matter how secure your organization is, you will always have a handful of sysadmins at the centre of everything, with the know-how and passwords to circumvent all access control lists and auditing. An extremely well designed system will require a conspiracy of more than one of those people to defeat, but those people still exist.

Better defense-in-depth may have been wise, ie. searching people for USB sticks at the exit, etc. but then you're gaining negligible security for a cost that's pretty controversial (ie. TSA). Honestly the NSA should worry less about data walking out the door and more about not having anything incriminating in the data to begin with. If they obeyed the law, you'd only have foreign intelligence to contend with, and not whistle-blowers.

Well, yes and no. Snowden was/is a guy with good intentions who wanted the public to be aware of what the NSA was doing. What if they had an Aldrich Ames in their midst? That would be far more dangerous to US national security, imo.

I don't read this as the NSA having poor security. I read it as the NSA had one of the people in its inner circle betray them. No matter how secure your organization is, you will always have a handful of sysadmins at the centre of everything, with the know-how and passwords to circumvent all access control lists and auditing. An extremely well designed system will require a conspiracy of more than one of those people to defeat, but those people still exist.

Better defense-in-depth may have been wise, ie. searching people for USB sticks at the exit, etc. but then you're gaining negligible security for a cost that's pretty controversial (ie. TSA). Honestly the NSA should worry less about data walking out the door and more about not having anything incriminating in the data to begin with. If they obeyed the law, you'd only have foreign intelligence to contend with, and not whistle-blowers.

1.7m documents to prove mass warrantless surveillance? Sounds like overkill to me. I wonder what else he was hoping to accomplish... Whatever he could get away with, I suspect.

No no no. You're missing the point. He didn't need all of those documents to prove mass warrantless surveillance. If you suspect the data exists that proves your point, sometimes you have to download a lot of stuff and then sort it out later to find the stuff you were really looking for.

Do you see now?

I think he would have known where to find what he was looking for, and wasn't randomly downloading everything to see if there was anything 'unwarranted'...

I don't understand why they didn't fix this after Manning exposed the problem. It was obvious then, but they chose to throw a kid under the bus (35 years in prison) instead of the senior officers who allowed someone untrustworthy to access the data in the first place.

No need for either/or. Bradley Manning knew what he was doing and deserved the sentence he received. Of course you are *entirely* right that the officers who designed and managed the systems (as well as the auditors who audited them, unless they clearly reported it and were ignored) should have received at LEAST the same punishment. Actually more, *because* they were officers.

Manning was a vindictive, screwed up man/child who made very bad choices, and who paid the price. Adults make decisions, and reap the benefits or the costs. Such is being an adult. Snowden is a more complex case, IMO (in terms of motivations).

But being a manager/leader/officer magnifies everything. These are not cases of simple oversight, or "reasonable" management discretion. I have done security auditing for a decade, and if *my* company had this kind of stunningly poor controls over segmentation and sensitive information management (as well as endpoint security and egress monitoring/filtering) *somebody* making big coin would be "exploring other opportunities" pretty quickly.

I would expect AT LEAST that much from the people we entrust with our national security.

I find it quite remarkable that the outpost in Hawaii on the one hand did not have enough bandwidth for new security monitoring program and on the other hand did have enough bandwidth to download those millions of documents. Seems like a contradiction.

The real contradiction is that anyone would make this claim at all (not enough bandwidth)...

With the budget the NSA has? With the mission of the NSA (basically bandwidth-intensive)? How could a massively-funded operation not have the best bandwidth in the world given its resources and mission?

Even if it had limited bandwidth, could it not have sent a box of DVDs with this program on it and installed it locally?

Something about the bandwidth excuse sounds as fishy as all the crap overflowing every time Clapper opens his trap...

Oh, and if all this information was as integral to American defense, and people will die, how come there were not two guys managing the operation simultaneously and watching over each other, like the guys in the Minuteman silos do???

I don't understand why they didn't fix this after Manning exposed the problem.

According to the article, Snowden was part of the team hired to fix the problem:

Quote:

Anderson said he was part of the team moving content to a new “tagged” system that would allow for greater auditing and control over who accessed documents in the WebWorld intranet.

Eventually you have to trust someone with the task. The NSA and/or the contractor trusted the wrong person.

With proper tracking and oversight, you don't have to trust any one person.

Yep. Segregation of duties + technical controls = no one person who can steal ALL your toys. One contractor holds the encryption keys and zero admin rights. Another contractor has limited admin rights, but doesn't get near the data itself. And a third (or *you*) watch over everything with SIEM and monitoring.

This isn't rocket science either. As an auditor, I look for SoD in pretty much every audit. You'd think the NSA auditors would care about it at least as much as my companies have cared about it for claims systems, eh?

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.